Instituto Nacional de Ciberseguridad. INCIBE section
Instituto Nacional de Ciberseguridad. INCIBE-CERT section

Vulnerabilities

In order to inform, warn and help professionals about the latest security vulnerabilities in technology systems, we make available to interested users a database with Spanish-language information on each of the latest documented and known vulnerabilities.

This repository, with more than 75,000 records, is based on the information in the NVD (National Vulnerability Database) under a collaboration agreement by which INCIBE translates the included information into Spanish. At times this listing will show vulnerabilities that have not yet been translated, because they are collected while the INCIBE team is still carrying out the translation process.

The CVE (Common Vulnerabilities and Exposures) vulnerability naming standard is used in order to ease the exchange of information between different databases and tools. Each listed vulnerability links to several information sources as well as to available patches or fixes provided by vendors and developers. Advanced searches are possible, with the option of selecting different criteria such as vulnerability type, vendor and impact type, among others, in order to narrow the results.

Through an RSS subscription or the Bulletins you can be informed daily of the latest vulnerabilities added to the repository.

CVE-2022-4980

Publication date:
19/09/2025
Language:
English
*** Pending translation *** General Bytes Crypto Application Server (CAS) beginning with version 20201208 prior to 20220531.38 (backport) and 20220725.22 (mainline) contains an authentication bypass in the admin web interface. An unauthenticated attacker could invoke the same URL used by the product's default-installation / first-admin creation page and create a new administrative account remotely. By gaining admin privileges, the attacker can change the ATM configuration, resulting in redirected funds. Public vendor advisories and multiple independent writeups describe the vulnerability as a call to the page used for initial/default installation / first administration user creation; General Bytes has not publicly published the exact endpoint/parameter name. The issue was actively exploited in the wild against cloud-hosted and standalone CAS deployments (scanning exposed CAS instances on ports 7777/443), and was publicly acknowledged by General Bytes in September 2022.
Severity CVSS v4.0: CRITICAL
Last modified:
19/09/2025

CVE-2025-10721

Publication date:
19/09/2025
Language:
English
*** Pending translation *** A vulnerability was determined in Webull Investing & Trading App 11.2.5.63 on Android. This vulnerability affects unknown code of the file AndroidManifest.xml. This manipulation causes improper export of Android application components. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modified:
19/09/2025

CVE-2025-10722

Publication date:
19/09/2025
Language:
English
*** Pending translation *** A vulnerability was detected in SKTLab Mukbee App 1.01.196 on Android. This affects an unknown function of the file AndroidManifest.xml of the component com.dw.android.mukbee. The manipulation results in improper export of Android application components. The attack must be initiated from a local position. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modified:
19/09/2025
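The two Android entries above (CVE-2025-10721 and CVE-2025-10722) both describe components that AndroidManifest.xml exports to every other app on the device. The usual triage step is to resolve each component's effective exported state (an explicit android:exported, or the platform default, which depends on intent-filters and targetSdk) and flag the ones that carry no android:permission. The script below is an added example written for this page; it is not code from either app or vendor, and the manifest it parses is constructed for illustration rather than taken from the affected apps.

```python
"""Flag Android components that are exported without a permission guard.

Added example for this page (not code from Webull, SKTLab or VulDB). The
manifest below is constructed: it is not the manifest of either app.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest: one component per case the checker handles.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application>
    <activity android:name=".DebugActivity" android:exported="true"/>
    <receiver android:name=".TokenReceiver">
      <intent-filter><action android:name="com.example.TOKEN"/></intent-filter>
    </receiver>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.permission.SYNC"/>
    <activity android:name=".MainActivity" android:exported="false">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <provider android:name=".DataProvider" android:authorities="com.example.data"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def effective_exported(elem, target_sdk):
    """Resolve a component's exported state using the platform defaults.

    Returns (exported, reason). The defaults encoded here are the documented
    Android rules: providers default to exported only on API 16 and lower;
    any other component with an intent-filter is implicitly exported before
    API 31, and API 31+ requires the attribute to be explicit.
    """
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true", 'android:exported="true"'
    if elem.tag == "provider":
        return target_sdk <= 16, "provider default (targetSdk <= 16)"
    if elem.find("intent-filter") is not None:
        return target_sdk < 31, "implicit via intent-filter (no android:exported)"
    return False, "not exported"


def find_unguarded_exports(manifest_xml, target_sdk=30):
    """Return (tag, name, reason) for each exported component with no android:permission."""
    app = ET.fromstring(manifest_xml).find("application")
    findings = []
    for elem in app:
        if elem.tag not in COMPONENT_TAGS:
            continue
        exported, reason = effective_exported(elem, target_sdk)
        if exported and _attr(elem, "permission") is None:
            findings.append((elem.tag, _attr(elem, "name"), reason))
    return findings


if __name__ == "__main__":
    for tag, name, reason in find_unguarded_exports(SAMPLE_MANIFEST, target_sdk=30):
        print(f"{tag} {name}: {reason}")
```

Run it against a manifest decoded from an APK (for example with apktool), and pass the app's real targetSdk: the same receiver with an intent-filter is a finding on targetSdk 30 and a build error on targetSdk 31, which is why the check takes the SDK level as a parameter. A hit is a starting point, not a verdict; the next step is to read what the component does with the intent it receives.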

CVE-2025-48703

Publication date:
19/09/2025
Language:
English
*** Pending translation *** CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1205 allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.
Severity CVSS v3.1: CRITICAL
Last modified:
19/09/2025

CVE-2025-36248

Publication date:
19/09/2025
Language:
English
*** Pending translation *** IBM Copy Services Manager 6.3.13 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
Severity CVSS v3.1: MEDIUM
Last modified:
19/09/2025

CVE-2025-57644

Publication date:
19/09/2025
Language:
English
*** Pending translation *** Accela Automation Platform 22.2.3.0.230103 contains multiple vulnerabilities in the Test Script feature. An authenticated administrative user can execute arbitrary Java code on the server, resulting in remote code execution. In addition, improper input validation allows for arbitrary file write and server-side request forgery (SSRF), enabling interaction with internal or external systems. Successful exploitation can lead to full server compromise, unauthorized access to sensitive data, and further network exploitation.
Severity CVSS v3.1: CRITICAL
Last modified:
19/09/2025

CVE-2025-59344

Publication date:
19/09/2025
Language:
English
*** Pending translation *** AliasVault is a privacy-first password manager with built-in email aliasing. A server-side request forgery (SSRF) vulnerability exists in the favicon extraction feature of AliasVault API versions 0.23.0 and lower. The extractor fetches a user-supplied URL, parses the returned HTML, and follows . Although the initial URL is validated to allow only HTTP/HTTPS with default ports, the extractor automatically follows redirects and does not block requests to loopback or internal IP ranges. An authenticated, low-privileged user can exploit this behavior to coerce the backend into making HTTP(S) requests to arbitrary internal hosts and non-default ports. If the target host serves a favicon or any other valid image, the response is returned to the attacker in Base64 form. Even when no data is returned, timing and error behavior can be abused to map internal services. This vulnerability only affects self-hosted AliasVault instances that are reachable from the public internet with public user registration enabled. Private/internal deployments without public sign-ups are not directly exploitable. This issue has been fixed in AliasVault release 0.23.1.
Severity CVSS v3.1: HIGH
Last modified:
19/09/2025
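The failure mode in the AliasVault entry is a generic one: the guard runs once on the URL the user typed, and the HTTP client then follows 3xx redirects on its own, so a public host can bounce the fetcher onto 127.0.0.1:9200 or a link-local metadata address. The fix pattern is to disable automatic redirects and re-run the scheme, port and resolved-address check on every hop. The script below is an added example for this page, not AliasVault's code; the DNS table and the HTTP responses are constructed stand-ins so it runs offline, and the check_every_hop=False path reproduces the vulnerable behaviour for comparison.

```python
"""Per-hop SSRF guard for a favicon-style URL fetcher.

Added example, not AliasVault's code. FAKE_DNS and FAKE_HTTP are
constructed stand-ins for a resolver and a network so the script runs
offline; in production the same guard wraps a real client with automatic
redirects disabled.
"""
import ipaddress
from urllib.parse import urlparse

# Constructed stand-in for DNS: hostname -> resolved address.
FAKE_DNS = {
    "cdn.example.com": "1.2.3.4",                    # public, made-up for the example
    "metadata.example.internal": "169.254.169.254",  # link-local metadata address
    "localhost": "127.0.0.1",
}

# Constructed stand-in for the network: URL -> (status, Location or body).
FAKE_HTTP = {
    "https://cdn.example.com/icon.png": (200, b"\x89PNG..."),
    "https://cdn.example.com/favicon.ico": (302, "http://127.0.0.1:9200/"),
    "https://cdn.example.com/hop": (302, "https://metadata.example.internal/latest/meta-data/"),
    "http://127.0.0.1:9200/": (200, b'{"cluster_name":"internal"}'),
    "https://metadata.example.internal/latest/meta-data/": (200, b"ami-id\n"),
}


class SsrfBlocked(Exception):
    pass


def assert_public_http_url(url, resolve=FAKE_DNS.get):
    """Reject anything but http(s) on a default port to a globally routable address."""
    p = urlparse(url)
    if p.scheme not in ("http", "https"):
        raise SsrfBlocked(f"scheme not allowed: {url}")
    if p.port not in (None, 80, 443):
        raise SsrfBlocked(f"non-default port: {url}")
    host = p.hostname or ""
    try:
        ip = ipaddress.ip_address(host)          # literal IP in the URL
    except ValueError:
        resolved = resolve(host)
        if resolved is None:
            raise SsrfBlocked(f"unresolvable host: {host}")
        ip = ipaddress.ip_address(resolved)
    # is_global is False for loopback, RFC 1918, link-local, CGNAT, multicast, ...
    if not ip.is_global:
        raise SsrfBlocked(f"{host} resolves to non-public address {ip}")


def fetch_with_redirects(url, max_hops=5, check_every_hop=True, http=FAKE_HTTP):
    """Follow redirects manually so the guard can run on every hop.

    check_every_hop=False reproduces the vulnerable pattern: only the first
    URL is validated and redirects are followed blindly.
    """
    assert_public_http_url(url)
    for _ in range(max_hops):
        status, payload = http.get(url, (404, b""))
        if status in (301, 302, 303, 307, 308):
            url = payload
            if check_every_hop:
                assert_public_http_url(url)
            continue
        return url, status, payload
    raise SsrfBlocked("too many redirects")


def is_blocked(url, **kw):
    """True when the guarded fetch refuses the URL or one of its redirect targets."""
    try:
        fetch_with_redirects(url, **kw)
    except SsrfBlocked:
        return True
    return False


if __name__ == "__main__":
    for u in FAKE_HTTP:
        print(f"{u}: {'blocked' if is_blocked(u) else 'allowed'}")
```

Two caveats the stand-in cannot show: resolve the hostname once and connect to that address (otherwise a host can answer the check with a public address and the connect with 127.0.0.1, DNS rebinding), and keep the error and timing behaviour of a blocked hop indistinguishable from an unreachable public host, since the advisory notes that errors and timing alone are enough to map internal services.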

CVE-2025-59427

Publication date:
19/09/2025
Language:
English
*** Pending translation *** The Cloudflare Vite plugin enables a full-featured integration between Vite and the Workers runtime. When utilising the Cloudflare Vite plugin in its default configuration, all files are exposed by the local dev server, including files in the root directory that contain secret information such as .env and .dev.vars. This vulnerability is fixed in 1.6.0.
Severity CVSS v4.0: LOW
Last modified:
19/09/2025

CVE-2025-57296

Publication date:
19/09/2025
Language:
English
*** Pending translation *** Tenda AC6 router firmware 15.03.05.19 contains a command injection vulnerability in the formSetIptv function, which processes requests to the /goform/SetIPTVCfg web interface. When handling the list and vlanId parameters, the sub_ADBC0 helper function concatenates these user-supplied values into nvram set system commands using doSystemCmd, without validating or sanitizing special characters (e.g., ;, ", #). An unauthenticated or authenticated attacker can exploit this by submitting a crafted POST request, leading to arbitrary system command execution on the affected device.
Severity CVSS v3.1: MEDIUM
Last modified:
19/09/2025
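The CWP entry (CVE-2025-48703, shell metacharacters in t_total) and the Tenda entry above (list and vlanId spliced into nvram set commands) are the same bug class: a request parameter is concatenated into a command string that a shell then parses. The example below is added for this page and is not code from CWP or Tenda. It keeps the parameter names from the advisories but everything else is assumed: the nvram command layout, the allowlists, and the reading of t_total as a three-digit permission mode (the advisory does not say what the parameter holds). It shows the vulnerable concatenation next to the two mitigations a reviewer would ask for: an allowlist that matches what the parameter legitimately is, and passing arguments as an argv list so no shell is involved.

```python
"""Allowlist validation and shell-free argument passing for request parameters.

Added example, not code from CWP or Tenda. Parameter names come from the
advisories; the nvram key names, the allowlists and the interpretation of
t_total as an octal mode are assumptions made for illustration.
"""
import re
import shlex

# Characters a POSIX shell treats specially; useful for detection, but an
# allowlist (below) is what actually makes a value safe.
SHELL_META = set(';&|`$<>(){}"\'\\#\n\r\t ')


def contains_shell_meta(value):
    """Detection helper: does the raw parameter carry any shell metacharacter?"""
    return any(c in SHELL_META for c in value)


def build_nvram_cmd_unsafe(list_value, vlan_id):
    """The vulnerable pattern: concatenate request values into one shell string.

    Returned, never executed here. With a shell this is equivalent to
    doSystemCmd("nvram set ...") on the device.
    """
    return f'nvram set iptv_list="{list_value}"; nvram set iptv_vlan={vlan_id}'


def validate_vlan_id(value):
    """vlanId: a decimal 802.1Q tag in 1..4094, nothing else."""
    if not re.fullmatch(r"[0-9]{1,4}", value):
        return None
    n = int(value)
    return n if 1 <= n <= 4094 else None


def validate_list(value):
    """list: comma-separated identifiers made of letters, digits, '_' and '-' (assumed format)."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+(,[A-Za-z0-9_-]+)*", value):
        return None
    return value


def validate_mode(value):
    """t_total read as a three-digit octal permission mode (assumption for this example)."""
    return value if re.fullmatch(r"[0-7]{3}", value) else None


def build_nvram_argv(list_value, vlan_id):
    """Hardened: validate against the allowlists, then return argv lists.

    Each inner list is meant for execve()/subprocess.run(argv) with no shell,
    so the value is one argument regardless of its content.
    """
    lst = validate_list(list_value)
    vid = validate_vlan_id(vlan_id)
    if lst is None or vid is None:
        raise ValueError("rejected parameter")
    return [["nvram", "set", f"iptv_list={lst}"], ["nvram", "set", f"iptv_vlan={vid}"]]


def rejected(list_value, vlan_id):
    """True when the hardened builder refuses the pair of parameters."""
    try:
        build_nvram_argv(list_value, vlan_id)
    except ValueError:
        return True
    return False


def shell_quoted(argv):
    """If a shell cannot be avoided, quote each argv element; shlex.join does this correctly."""
    return shlex.join(argv)


if __name__ == "__main__":
    payload = 'ch1"; telnetd -l /bin/sh #'
    print("unsafe :", build_nvram_cmd_unsafe(payload, "1"))
    print("meta?  :", contains_shell_meta(payload))
    print("reject?:", rejected(payload, "1"))
    print("argv   :", build_nvram_argv("ch1,ch2", "100"))
    print("quoted :", shell_quoted(["nvram", "set", f"iptv_list={payload}"]))
```

The order matters: validate first, then build argv. Quoting alone (the shell_quoted helper) stops the injection but still lets a nonsense value reach nvram, and a metacharacter denylist such as contains_shell_meta is a detection signal for logs or a WAF rule, not a substitute for the allowlist, because the set of characters a given shell or downstream parser treats specially is easy to get wrong.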

CVE-2025-39861

Publication date:
19/09/2025
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: vhci: Prevent use-after-free by removing debugfs files early

Move the creation of debugfs files into a dedicated function, and ensure
they are explicitly removed during vhci_release(), before associated
data structures are freed.

Previously, debugfs files such as "force_suspend", "force_wakeup", and
others were created under hdev->debugfs but not removed in
vhci_release(). Since vhci_release() frees the backing vhci_data
structure, any access to these files after release would result in
use-after-free errors.

Although hdev->debugfs is later freed in hci_release_dev(), user can
access files after vhci_data is freed but before hdev->debugfs is
released.
Severity: Pending analysis
Last modified:
19/09/2025

CVE-2025-39862

Publication date:
19/09/2025
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: mt7915: fix list corruption after hardware restart

Since stations are recreated from scratch, all lists that wcids are added
to must be cleared before calling ieee80211_restart_hw.
Set wcid->sta = 0 for each wcid entry in order to ensure that they are
not added again before they are ready.
Severity: Pending analysis
Last modified:
19/09/2025

CVE-2025-39863

Publication date:
19/09/2025
Language:
English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work

The brcmf_btcoex_detach() only shuts down the btcoex timer, if the
flag timer_on is false. However, the brcmf_btcoex_timerfunc(), which
runs as timer handler, sets timer_on to false. This creates critical
race conditions:

1. If brcmf_btcoex_detach() is called while brcmf_btcoex_timerfunc()
is executing, it may observe timer_on as false and skip the call to
timer_shutdown_sync().

2. The brcmf_btcoex_timerfunc() may then reschedule the brcmf_btcoex_info
worker after the cancel_work_sync() has been executed, resulting in
use-after-free bugs.

The use-after-free bugs occur in two distinct scenarios, depending on
the timing of when the brcmf_btcoex_info struct is freed relative to
the execution of its worker thread.

Scenario 1: Freed before the worker is scheduled

The brcmf_btcoex_info is deallocated before the worker is scheduled.
A race condition can occur when schedule_work(&bt_local->work) is
called after the target memory has been freed. The sequence of events
is detailed below:

CPU0                          | CPU1
brcmf_btcoex_detach           | brcmf_btcoex_timerfunc
                              | bt_local->timer_on = false;
if (cfg->btcoex->timer_on)    |
...                           |
cancel_work_sync();           |
...                           |
kfree(cfg->btcoex); // FREE   |
                              | schedule_work(&bt_local->work); // USE

Scenario 2: Freed after the worker is scheduled

The brcmf_btcoex_info is freed after the worker has been scheduled
but before or during its execution. In this case, statements within
the brcmf_btcoex_handler() such as the container_of macro and
subsequent dereferences of the brcmf_btcoex_info object will cause
a use-after-free access. The following timeline illustrates this
scenario:

CPU0                          | CPU1
brcmf_btcoex_detach           | brcmf_btcoex_timerfunc
                              | bt_local->timer_on = false;
if (cfg->btcoex->timer_on)    |
...                           |
cancel_work_sync();           |
...                           | schedule_work(); // Reschedule
                              |
kfree(cfg->btcoex); // FREE   | brcmf_btcoex_handler() // Worker
/*                            | btci = container_of(....); // USE
The kfree() above could       | ...
also occur at any point       | btci-> // USE
during the worker's execution |
*/                            |

To resolve the race conditions, drop the conditional check and call
timer_shutdown_sync() directly. It can deactivate the timer reliably,
regardless of its current state. Once stopped, the timer_on state is
then set to false.
Severity: Pending analysis
Last modified:
19/09/2025